1 Introduction

Solving the word problem requires deciding whether an equation $s \approx t$ follows from an equational system (ES) $\mathcal{E}$. By Birkhoff's theorem this is equivalent to the existence of a conversion $s \leftrightarrow^*_\mathcal{E} t$. Knuth-Bendix completion [5] (if successful) gives a decision procedure: if an ES $\mathcal{E}$ is transformed into an equivalent convergent term rewrite system (TRS) $\mathcal{R}$, then $s \leftrightarrow^*_\mathcal{E} t$ iff the $\mathcal{R}$-normal forms of $s$ and $t$ coincide. (Note that completion does not construct such conversions explicitly.)

Example 1. For $\mathcal{E} = \{ff \approx f,\ ggf \approx g\}$ (where f and g are unary function symbols, for which we find it convenient to abbreviate f(g(f(x))) to fgf etc.) a possible choice of $\mathcal{R}$ is $\{ff \to f,\ gf \to g,\ gg \to g\}$. Since $fgf \to_\mathcal{R} fg \leftarrow_\mathcal{R} fgg$, we have that $fgf \approx fgg$ follows from $\mathcal{E}$.



When we want to answer or certify whether $s \leftrightarrow^*_\mathcal{E} t$, we face the following situation: (1) It is hard to find a conversion but easy to certify a given one. (2) Under the assumption that Knuth-Bendix completion is successful, it is easy to decide the existence of a conversion (just rewrite $s$ and $t$ to $\mathcal{R}$-normal forms) but hard to certify this decision (e.g., by certifying that $\mathcal{E}$ and $\mathcal{R}$ are equivalent).

In this paper we introduce recording completion, which overcomes both problems. Recording completion keeps a history that allows us to reconstruct how the rules in $\mathcal{R}$ have been derived from the equations in $\mathcal{E}$. Then, from a join $s \to^*_\mathcal{R} \cdot \leftarrow^*_\mathcal{R} t$ a conversion $s \leftrightarrow^*_\mathcal{E} t$ can be reconstructed. Furthermore, recording completion enables the certification of completion proofs, i.e., to check that $\mathcal{R}$ and $\mathcal{E}$ are equivalent. Using equivalence together with confluence and termination certificates, it is also possible to certify that a conversion $s \leftrightarrow^*_\mathcal{E} t$ does not exist.

In addition to formalizing all required theorems like the critical pair theorem and soundness 
of completion, we have proven two new results: For finite completion proofs, i.e., where the 
completion procedure stops successfully after a finite number of steps, the strict encompassment 
condition (in the collapse-rule of Figure 1) is not required. Moreover, an infinite set of variables 
is essential for the critical pair theorem as well as modularity of confluence [8]. 


2 Proof Construction via Recording Completion 

We extend the inference rules of completion [1] by a history component which allows us to infer how rules in $\mathcal{R}$ have been derived from equations in $\mathcal{E}$. The construction of a conversion $s \leftrightarrow^*_\mathcal{E} t$ (if possible at all) is then executed in three phases: (record) The inference rules of recording completion (see Figure 1) are applied to the ES $\mathcal{E}$. Upon success, a convergent TRS $\mathcal{R}$ (equivalent to $\mathcal{E}$) and a history $\mathcal{H}$ (recording how the rules in $\mathcal{R}$ have been derived) are computed. (compare) If the previous phase is successful, the test for $s \to^*_\mathcal{R} \cdot \leftarrow^*_\mathcal{R} t$ is performed. (recall) If the previous phase is successful, we construct $s \leftrightarrow^*_\mathcal{E} t$ from $s \to^*_\mathcal{R} \cdot \leftarrow^*_\mathcal{R} t$.
$$
\begin{array}{lcl}
\text{(deduce)} & \dfrac{(\mathcal{E},\ \mathcal{R},\ \mathcal{H})}{(\mathcal{E} \cup \{m : s \approx t\},\ \mathcal{R},\ \mathcal{H} \cup \{m : s \leftarrow_j u \to_k t\})} & \text{if } s \leftarrow_j u \to_k t \\[2ex]
\text{(orient}_l\text{)} & \dfrac{(\mathcal{E} \cup \{i : s \approx t\},\ \mathcal{R},\ \mathcal{H})}{(\mathcal{E},\ \mathcal{R} \cup \{i : s \to t\},\ \mathcal{H})} & \text{if } s > t \\[2ex]
\text{(orient}_r\text{)} & \dfrac{(\mathcal{E} \cup \{i : s \approx t\},\ \mathcal{R},\ \mathcal{H} \cup \{i : s \circ_1 u \circ_2 t\})}{(\mathcal{E},\ \mathcal{R} \cup \{i : t \to s\},\ \mathcal{H} \cup \{i : t \circ_2^{-1} u \circ_1^{-1} s\})} & \text{if } t > s \\[2ex]
\text{(simplify}_l\text{)} & \dfrac{(\mathcal{E} \cup \{i : s \approx t\},\ \mathcal{R},\ \mathcal{H})}{(\mathcal{E} \cup \{m : u \approx t\},\ \mathcal{R},\ \mathcal{H} \cup \{m : u \leftarrow_j s \to_i t\})} & \text{if } s \to_j u \\[2ex]
\text{(simplify}_r\text{)} & \dfrac{(\mathcal{E} \cup \{i : s \approx t\},\ \mathcal{R},\ \mathcal{H})}{(\mathcal{E} \cup \{m : s \approx u\},\ \mathcal{R},\ \mathcal{H} \cup \{m : s \to_i t \to_j u\})} & \text{if } t \to_j u \\[2ex]
\text{(delete)} & \dfrac{(\mathcal{E} \cup \{i : s \approx s\},\ \mathcal{R},\ \mathcal{H} \cup \{i : s \circ_1 u \circ_2 s\})}{(\mathcal{E},\ \mathcal{R},\ \mathcal{H})} & \\[2ex]
\text{(compose)} & \dfrac{(\mathcal{E},\ \mathcal{R} \cup \{i : s \to t\},\ \mathcal{H})}{(\mathcal{E},\ \mathcal{R} \cup \{m : s \to u\},\ \mathcal{H} \cup \{m : s \to_i t \to_j u\})} & \text{if } t \to_j u \\[2ex]
\text{(collapse)} & \dfrac{(\mathcal{E},\ \mathcal{R} \cup \{i : s \to t\},\ \mathcal{H})}{(\mathcal{E} \cup \{m : u \approx t\},\ \mathcal{R},\ \mathcal{H} \cup \{m : u \leftarrow_j s \to_i t\})} & \text{if } s \to_j u
\end{array}
$$

Figure 1: The inference rules of recording completion ($\to_j$ is an $\mathcal{R}$-step using the rule with index $j$; $m$ is a fresh index).



In the sequel we give more details for each of the phases. 



Record. The record phase uses the inference rules from Figure 1, where every rule/equation is annotated by a unique index $i$. Here, $\to_i$ denotes an $\mathcal{R}$-reduction using the rule with index $i$. The inference rules are similar to the standard rules except for the following two differences: in the collapse rule we dropped the condition of strict encompassment. Since we only consider finite runs, this condition is no longer required for soundness (cf. Theorem 1). Furthermore, there is a new history component $\mathcal{H}$ whose entries are of the form $i : s \circ_1 u \circ_2 t$, where $i$ is the index of the entry, $j$ and $k$ are the indices of equations/rules annotating $\circ_1$ and $\circ_2$, $s$, $u$, and $t$ are terms, and $\circ_1, \circ_2 \in \{\leftarrow, \to\}$.

Let us take a closer look at the extended inference rules. For deduce the peak $s \leftarrow_\mathcal{R} u \to_\mathcal{R} t$ that triggers the new equation $s \approx t$ is stored in a history entry (where $m$ is assumed to be a fresh index that is larger than every earlier index). By orient$_l$ we orient an equation from left to right and the corresponding history entry remains unchanged, whereas by orient$_r$ we orient an equation from right to left and thus have to "mirror" the corresponding history entry. Here $>$ is a reduction order, which is part of the input. The rules simplify$_l$ and simplify$_r$ are used to $\mathcal{R}$-rewrite a left- or right-hand side of an equation. With delete we remove trivial equations from $\mathcal{E}$ and the corresponding history entry from $\mathcal{H}$. Finally, compose rewrites a right-hand side of a rule in $\mathcal{R}$, while collapse does the same for left-hand sides.

We write $(\mathcal{E}_i, \mathcal{R}_i, \mathcal{H}_i) \leadsto (\mathcal{E}_{i+1}, \mathcal{R}_{i+1}, \mathcal{H}_{i+1})$ for the application of an arbitrary inference rule to the triple $(\mathcal{E}_i, \mathcal{R}_i, \mathcal{H}_i)$ resulting in $(\mathcal{E}_{i+1}, \mathcal{R}_{i+1}, \mathcal{H}_{i+1})$.

Definition 1. A run of recording completion for $\mathcal{E}$ is a finite sequence $(\mathcal{E}_0, \mathcal{R}_0, \mathcal{H}_0) \leadsto^n (\mathcal{E}_n, \mathcal{R}_n, \mathcal{H}_n)$ of rule applications, where $\mathcal{E}_0 = \{i : s \approx t \mid s \approx t \in \mathcal{E}\}$ with a fresh index $i$ for each equation, $\mathcal{R}_0 = \emptyset$, and the initial history is $\mathcal{H}_0 = \{i : s \to_i t \approx t \mid i : s \approx t \in \mathcal{E}_0\}$. A run is successful if $\mathcal{E}_n = \emptyset$ and all critical pairs of $\mathcal{R}_n$ that are not contained in $\bigcup_{i < n} \mathcal{E}_i$ are joinable by $\mathcal{R}_n$. A run is sound if $\mathcal{R}_n$ is convergent and equivalent to $\mathcal{E}_0$.

Table 2: Example of recording completion.

(a) Initial state.

  $\mathcal{E}_0 = \{1 : ff \approx f,\ 2 : ggf \approx g\}$
  $\mathcal{R}_0 = \emptyset$
  $\mathcal{H}_0 = \{1 : ff \to_1 f \approx f,\ 2 : ggf \to_2 g \approx g\}$

(b) Final state.

  $\mathcal{E}_n = \emptyset$
  $\mathcal{R}_n = \{1 : ff \to f,\ 4 : gf \to g,\ 5 : gg \to g\}$
  $\mathcal{H}_n = \{1 : ff \to_1 f \approx f,\ 2 : ggf \to_2 g \approx g,\ 3 : ggf \leftarrow_1 ggff \to_2 gf,\ 4 : gf \leftarrow_3 ggf \to_2 g,\ 5 : gg \leftarrow_4 ggf \to_2 g\}$

The requirement on critical pairs for a successful run can be replaced by local confluence of $\mathcal{R}_n$.

Example 2. Recall $\mathcal{E}$ from Example 1. We start with the triple depicted in Table 2(a) and perform recording completion. Note that LPO with empty precedence orients all emerging rules in the desired direction. After orienting rules 1 and 2 from left to right we deduce a critical pair between rules 2 and 1, resulting in the equation $3 : ggf \approx gf$ and the history entry $3 : ggf \leftarrow_1 ggff \to_2 gf$. Next we simplify the left-hand side of equation 3 by an application of rule 2 and obtain the equation $4 : g \approx gf$ with corresponding history entry $4 : g \leftarrow_2 ggf \to_3 gf$. Orienting rule 4 from right to left causes the history entry to be mirrored, i.e., $4 : gf \leftarrow_3 ggf \to_2 g$. Rules 2 and 4 allow us to deduce equation $5 : gg \approx g$ with history $5 : gg \leftarrow_4 ggf \to_2 g$, which we orient from left to right. Collapsing the left-hand side of rule 2 with rule 5 yields $6 : gf \approx g$ with $6 : gf \leftarrow_5 ggf \to_2 g$. Now rule 4 simplifies equation 6 into $7 : g \approx g$ with $7 : g \leftarrow_4 gf \to_6 g$, which is immediately deleted afterwards. Finally, $\mathcal{E}_n$ is empty and, as all remaining critical pairs of $\mathcal{R}_n$ are joinable, the procedure can be stopped. Since there is no rule with index 6, the history entry 6 can be dropped. Hence, we obtain the result depicted in Table 2(b), where $\mathcal{R}_n$ is convergent and equivalent to $\mathcal{E}_0$.

We have formalized soundness of recording completion in IsaFoR [7] (see Completion.thy).

Theorem 1. Every successful run of recording completion is sound. □

Compare. Let $(\mathcal{E}, \emptyset, \mathcal{H}_0) \leadsto^n (\emptyset, \mathcal{R}, \mathcal{H}_n)$ be a successful run of recording completion and $s \approx t$ an equation. In the compare phase we test joinability of the terms $s$ and $t$ with respect to $\mathcal{R}$. If the two terms are joinable, then $s \approx t$ follows from $\mathcal{E}$ and the next phase constructs an $\mathcal{E}$-conversion $s \leftrightarrow^*_\mathcal{E} t$. Otherwise, $s \not\approx t$ w.r.t. $\mathcal{E}$. The compare phase is sound (cf. Theorem 1).

Recall. Let $(\mathcal{E}, \emptyset, \mathcal{H}_0) \leadsto^n (\emptyset, \mathcal{R}, \mathcal{H}_n)$ be a run of recording completion. Then the recall phase transforms a join $s \to^*_\mathcal{R} \cdot \leftarrow^*_\mathcal{R} t$ into a conversion $s \leftrightarrow^*_\mathcal{E} t$ as follows. For each step $t_1 \to_i t_2$ where the index $i$ is not in $\mathcal{E}$ the corresponding history entry is inserted. Let $i : \ell \to r$ be the rule with index $i$. Then there must be a history entry $i : \ell \circ_1 u \circ_2 r$, a position $p$, and a substitution $\sigma$ such that $t_1|_p = \ell\sigma$ and $t_2|_p = r\sigma$. The step $t_1 \to_i t_2$ is replaced by the conversion $t_1 \circ_1 t_1[u\sigma]_p \circ_2 t_2$. This process terminates since $i > j, k$, i.e., any history entry (not in $\mathcal{H}_0$) refers to smaller indices, and finally we arrive at a conversion using indices from $\mathcal{E}$.

The next lemma states the desired property of the recall phase. Note that we do not need a successful run of recording completion: any join $s \to^*_\mathcal{R} \cdot \leftarrow^*_\mathcal{R} t$ is transformed into $s \leftrightarrow^*_\mathcal{E} t$.

Lemma 1. Let $(\mathcal{E}, \emptyset, \mathcal{H}_0) \leadsto^n (\mathcal{E}_n, \mathcal{R}, \mathcal{H}_n)$ be a run of recording completion. Then the recall phase transforms any join using rules from $\mathcal{R}$ into a conversion using rules from $\mathcal{E}$. □

Alternatively, one can ensure $\leftrightarrow_\mathcal{R} \subseteq \leftrightarrow^*_\mathcal{E}$ to derive $s \leftrightarrow^*_\mathcal{E} t$ from $s \to^*_\mathcal{R} \cdot \leftarrow^*_\mathcal{R} t$. The former can be established by showing that all history entries $i : s' \circ_1 u \circ_2 t'$ are consequences of $\mathcal{E}$ (i.e., $s' \leftrightarrow^*_\mathcal{E} t'$) and can thus be used as auxiliary equations. To avoid cyclic references, history entries are processed in order of their indices. This approach requires the certifier to support such auxiliary equations. In return, proofs become much shorter, as the history itself is the proof of $\leftrightarrow_\mathcal{R} \subseteq \leftrightarrow^*_\mathcal{E}$, which obviously has linear size. In contrast, the recall phase might produce certificates where the conversion $s \leftrightarrow^*_\mathcal{E} t$ is exponentially larger than the join $s \to^*_\mathcal{R} \cdot \leftarrow^*_\mathcal{R} t$.

3 Formalization and Certification 

To maximize the reliability of the computed results, we have developed a verified certifier using the proof assistant Isabelle/HOL. Based on IsaFoR [7], the code generation facilities of Isabelle/HOL allow us to generate the verified certifier CeTA, which is able to certify or falsify conversions, completion proofs, and equational proofs and disproofs which are performed via completion.¹ For the latter, although Theorem 1 has been formalized, it is not checked whether the completion rules are applied correctly. Instead it is only verified that the result of the completion procedure is a convergent TRS equivalent to the initial set of equations.

To decide whether $s \leftrightarrow^*_\mathcal{E} t$ holds it suffices to find a convergent TRS $\mathcal{R}$ that is equivalent to $\mathcal{E}$ and decide whether the $\mathcal{R}$-normal forms of $s$ and $t$ coincide.

For equivalence of $\mathcal{R}$ and $\mathcal{E}$ we have to consider two directions. To decide $\leftrightarrow^*_\mathcal{E} \subseteq \leftrightarrow^*_\mathcal{R}$, by convergence of $\mathcal{R}$ we just have to check that for all $s \approx t \in \mathcal{E}$ the $\mathcal{R}$-normal forms of $s$ and $t$ coincide. For the other direction, $\leftrightarrow^*_\mathcal{R} \subseteq \leftrightarrow^*_\mathcal{E}$, we have to guarantee $\ell \leftrightarrow^*_\mathcal{E} r$ for all $\ell \to r \in \mathcal{R}$. Here, we use the information from recording completion to get the required derivations.

Hence, to certify that such a proof is correct we have to guarantee that $\mathcal{R}$ is convergent by showing termination and local confluence. Concerning termination, several techniques have already been formalized in IsaFoR. Hence, the new part is the certification of local confluence. Here, the key technique is the critical pair theorem of Huet [3], which makes a result by Knuth and Bendix [5] explicit. It states that $\mathcal{R}$ is locally confluent iff all critical pairs of $\mathcal{R}$ are joinable.

During the formalization we detected that in general (with no assumption on the set of variables $\mathcal{V}$) there is a problem with renaming the variables of rules apart when building critical pairs. To solve this problem without demanding an infinite set of variables, we see two alternatives: either keep the set of variables and, when building critical pairs, try to rename variables apart as well as possible; or use an enlarged set of variables in the definition of critical pairs (so that there are enough variables to perform renamings). It turns out that for both alternatives the critical pair theorem does not hold.

For the first alternative it is easy to see that joinability of critical pairs does not imply local confluence. To this end, consider $\mathcal{V} = \{x\}$ and $\mathcal{R} = \{f(a, x) \to a,\ f(x, b) \to b\}$. This TRS is not locally confluent due to the peak $a \leftarrow f(a, b) \to b$. But without changing $\mathcal{V}$ it is not possible to rename the variables of the two rules in $\mathcal{R}$ apart such that their left-hand sides are unifiable. Hence, for the first alternative all critical pairs are joinable.

¹ Both IsaFoR and CeTA are freely available from http://cl-informatik.uibk.ac.at/software/ceta/.

Table 3: Rule schema for $\mathcal{R}_c$ with $y \in \mathcal{V}$ and $t \in \{c,\ f(x_4, x_5),\ g(x_4, x_5),\ h(x_4, x_5)\}$.

$\mathcal{R}_1$:
  $f(g(x_1, x_2), g(x_3, x_4)) \to h(x_1, h(x_2, g(x_3, x_4)))$
  $f(g(g(x_1, x_2), g(x_3, x_4)), x_5) \to h(x_5, h(g(x_1, x_2), g(x_3, x_4)))$

$\mathcal{R}_2$:
  $h(g(t, x_1), h(x_2, x_3)) \to c$
  $h(g(x_1, t), h(x_2, x_3)) \to c$
  $h(x_1, h(g(t, x_2), x_3)) \to c$
  $h(x_1, h(g(x_2, t), x_3)) \to c$
  $h(x_1, h(x_2, g(t, x_3))) \to c$
  $h(x_1, h(x_2, g(x_3, t))) \to c$

$\mathcal{R}_3$:
  $h(g(y, x_1), h(g(x_2, x_3), g(x_4, x_5))) \to c$
  $h(g(x_1, y), h(g(x_2, x_3), g(x_4, x_5))) \to c$
  $h(g(x_1, x_2), h(g(y, x_3), g(x_4, x_5))) \to c$
  $h(g(x_1, x_2), h(g(x_3, y), g(x_4, x_5))) \to c$
  $h(g(x_1, x_2), h(g(x_3, x_4), g(y, x_5))) \to c$
  $h(g(x_1, x_2), h(g(x_3, x_4), g(x_5, y))) \to c$

$\mathcal{R}_4$:
  $h(x_1, c) \to c$

For the second alternative, $\mathcal{R}$ may be locally confluent although not every critical pair is joinable: the next example shows that if $\mathcal{V}$ is finite and $\mathcal{R}$ is locally confluent, then it need not be the case that all critical pairs of $\mathcal{R}$ are joinable.

Example 3. Let $\mathcal{R}_c = \bigcup_{i=1}^{4} \mathcal{R}_i$ be the TRS over $\mathcal{F} = \{f, g, h, c\}$ and $\mathcal{V} = \{x_1, \ldots, x_5\}$ depicted in Table 3. It is constructed in such a way that each term $h(g(t_1, t_2), h(g(t_3, t_4), g(t_5, t_6)))$ can be reduced to $c$ (via $\mathcal{R}_2$ if some $t_i$ is not a variable, and via $\mathcal{R}_3$ if $t_i = t_j$ for $i < j$). Since there are only five different variables in $\mathcal{V}$, indeed every term $h(g(t_1, t_2), h(g(t_3, t_4), g(t_5, t_6)))$ can be reduced to $c$. Moreover, all critical pairs for which one of the rules is taken from $\mathcal{R}_c \setminus \mathcal{R}_1$ are joinable. Hence, the only critical pair that remains to be considered arises between the two rules of $\mathcal{R}_1$, where $u = f(g(g(x_1, x_2), g(x_3, x_4)), g(x_5, x_6))$:

$$h(g(x_1, x_2), h(g(x_3, x_4), g(x_5, x_6))) \leftarrow u \to h(g(x_5, x_6), h(g(x_1, x_2), g(x_3, x_4)))$$

This critical pair is not joinable, as both terms are $\mathcal{R}_c$-normal forms. However, $\mathcal{R}_c$ is confluent, since every instance of the critical pair (w.r.t. $\mathcal{T}(\mathcal{F}, \mathcal{V})$) is joinable to $c$.

The example shows that confluence depends on the set of variables, which most often is assumed to be infinite. Without this assumption, the requirement that all critical pairs have to be joinable can be too strict.² Another important consequence is that in the case of finite $\mathcal{V}$, Toyama's modularity result for confluence [8] no longer holds.

Corollary 1. Confluence is not a modular property of TRSs for an arbitrary set of variables. 

To summarize, it is not possible to formalize the critical pair theorem for arbitrary sets $\mathcal{V}$. Hence, we formalized it for strings, where it is conveniently possible to rename the variables of rules apart without changing the type of variables (by using different prefixes). Of course, if $\mathcal{V}$ is infinite we can always obtain a renaming function (take some fresh variables) by the Axiom of Choice. However, then the definition of critical pairs is not executable.

Theorem 2. A TRS over $\mathcal{T}(\mathcal{F}, \mathit{String})$ is locally confluent iff all critical pairs are joinable.

Note that the theorem does not require any variable condition for $\mathcal{R}$. Hence, $\mathcal{R}$ may, e.g., contain left-hand sides which are variables, or free variables in right-hand sides.

² We have only shown this result for $|\mathcal{V}| = 5$. However, $\mathcal{R}_c$ can be adapted to any finite $\mathcal{V}$ with $5 \le |\mathcal{V}|$.

4 Implementation and Conclusion

We performed experiments³ for completion proofs using KBCV [6] and MKBTT [9] (on 115 ESs).⁴ Within a time limit of 300 seconds, KBCV could complete 86 ESs and MKBTT 80 ESs, while both tools together succeeded on 94. The corresponding 94 completion proofs could be certified by CeTA (version 2.4). For an evaluation of other completion tools we refer to [4].

In our experiments we considered both possibilities (mentioned at the end of Section 2) to ensure $\leftrightarrow_\mathcal{R} \subseteq \leftrightarrow^*_\mathcal{E}$. While KBCV 1.6 performs the recall phase to explicitly construct $\ell \leftrightarrow^*_\mathcal{E} r$ for each $\ell \to r \in \mathcal{R}$, KBCV 1.7 just exports the relevant history entries, which are used as auxiliary equations. Hence it is not surprising that of the 86 ESs which KBCV 1.6 could complete only 80 have been certified. For two ESs (TPTP_GRP487-1_theory and TPTP_GRP_490-1_theory) the recall phase did not terminate within the time limit, and for the remaining ESs (LS94_P1, TPTP_GRP_481-1_theory, TPTP_GRP_486-1_theory, TPTP_GRP_490-1_theory) the certificate was too large (365 MB, 230 MB, 406 MB, 581 MB) for CeTA. However, when using auxiliary equations all proofs could be computed and certified (typically within a second). Hence further optimization of the proof format seems dispensable.

While MKBTT follows recording completion, CiME3 implements an annotated version of ordered completion [2]. Here — in contrast to our approach — the history is not saved as a stand-alone component but directly integrated into terms, equations, and rules. Hence a term $t$ comes with an original version $t^\circ$, a current version $t^*$, and a reduction sequence from $t^\circ$ to $t^*$. Similarly, an equation $s \approx t$ also contains all intermediate (rewrite) steps that show that both terms are equal. It requires further investigation to evaluate the pros and cons of the two approaches.

Acknowledgments: We thank Sarah Winkler for integrating certifiable output into MKBTT 
and helpful discussion. 